
Citibank - 'Attn: Citibank Update!'
21-Jul-2004

Summary
Email subject: 'Attn: Citibank Update!'
Scam target: Citibank customers
Distribution medium: HTML email
Sender:

Various : safe@citibank.com; citisafe@citibank.com; safeciti@citibank.com

Sender spoofed? Yes
Scam call to action: ''
Scam goal: Getting victim's credit/debit card information, personal information
Call to action format: a 'Click here' type link
Visible link:

'Click to protect yourself from fraudulent activity!'

Called link: http://219.148.127.67/scripts/confirmation.htm
Phish site on : 219.148.127.67
 
E-mail
 
This is another widespread phish. Interestingly, the same phishing message has already been used in a previous scam attempt (the analysis can be found here):
 
 
As you can see, this message could be pretty convincing to the average user. Its urgent tone can also scare people into believing it and clicking the link.
 
Web Site
Visible link:

'Click to protect yourself from fraudulent activity!'

Called link: http://219.148.127.67/scripts/confirmation.htm
Phish site on : 219.148.127.67
 
This site is definitely trickier than the previous one that used the same message. It uses a very clever phishing technique. It opens the legitimate site in the background, and the phish as a pop-up:
 
 
This suggests a link between the two that does not actually exist. The phish site (the pop-up) is a completely different one from the legitimate one.

The next, and really dangerous, trick is that the phish actually checks whether the credit card number entered is valid:
 
 
A clarification: the phish won't actually check that this very card is on a Citibank account. It simply uses widely available information on credit card numbers to check whether the number is a valid one, i.e. within a certain range.
 
And this is the information found in the WHOIS (ARIN) database on the phishing site:
 
WHOIS data:

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 219.0.0.0 - 219.255.255.255
CIDR: 219.0.0.0/8
NetName: APNIC5
NetHandle: NET-219-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS.RIPE.NET
NameServer: TINNIE.ARIN.NET

 
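It should be noted that a lot of the recent phish sites are hosted on IPs within the 'Asia Pacific Network Information Centre' IP range. The ARIN record above only describes the 219.0.0.0/8 block allocated to APNIC and refers to whois.apnic.net, so identifying the network that actually hosts 219.148.127.67 requires a follow-up query there.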